// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package mssqlmanagedinstance

import (
	"fmt"
	"log"
	"time"

	"github.com/hashicorp/go-azure-helpers/lang/pointer"
	"github.com/hashicorp/go-azure-helpers/lang/response"
	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonids"
	"github.com/hashicorp/go-azure-sdk/resource-manager/sql/2023-08-01-preview/managedinstancevulnerabilityassessments"
	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
	"github.com/hashicorp/terraform-provider-azurerm/internal/services/mssqlmanagedinstance/parse"
	"github.com/hashicorp/terraform-provider-azurerm/internal/services/mssqlmanagedinstance/validate"
	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation"
	"github.com/hashicorp/terraform-provider-azurerm/internal/timeouts"
)

func resourceMsSqlManagedInstanceVulnerabilityAssessment() *pluginsdk.Resource {
	return &pluginsdk.Resource{
		Create: resourceMsSqlManagedInstanceVulnerabilityAssessmentCreate,
		Read:   resourceMsSqlManagedInstanceVulnerabilityAssessmentRead,
		Update: resourceMsSqlManagedInstanceVulnerabilityAssessmentUpdate,
		Delete: resourceMsSqlManagedInstanceVulnerabilityAssessmentDelete,

		Importer: pluginsdk.ImporterValidatingResourceId(func(id string) error {
			_, err := parse.ManagedInstanceVulnerabilityAssessmentID(id)
			return err
		}),

		Timeouts: &pluginsdk.ResourceTimeout{
			Create: pluginsdk.DefaultTimeout(60 * time.Minute),
			Read:   pluginsdk.DefaultTimeout(5 * time.Minute),
			Update: pluginsdk.DefaultTimeout(60 * time.Minute),
			Delete: pluginsdk.DefaultTimeout(60 * time.Minute),
		},

		Schema: map[string]*pluginsdk.Schema{
			"managed_instance_id": {
				Type:         pluginsdk.TypeString,
				Required:     true,
				ForceNew:     true,
				ValidateFunc: validate.ManagedInstanceID,
			},

			"storage_container_path": {
				Type:         pluginsdk.TypeString,
				Required:     true,
				ValidateFunc: validation.StringIsNotEmpty,
			},

			"storage_account_access_key": {
				Type:         pluginsdk.TypeString,
				Optional:     true,
				Sensitive:    true,
				ValidateFunc: validation.StringIsNotEmpty,
			},

			"storage_container_sas_key": {
				Type:         pluginsdk.TypeString,
				Optional:     true,
				Sensitive:    true,
				ValidateFunc: validation.StringIsNotEmpty,
			},

			"recurring_scans": {
				Type:     pluginsdk.TypeList,
				Optional: true,
				Computed: true,
				MaxItems: 1,
				Elem: &pluginsdk.Resource{
					Schema: map[string]*pluginsdk.Schema{
						"email_subscription_admins": {
							Type:     pluginsdk.TypeBool,
							Optional: true,
							Default:  true,
						},

						"emails": {
							Type:     pluginsdk.TypeList,
							Optional: true,
							Elem: &pluginsdk.Schema{
								Type:         pluginsdk.TypeString,
								ValidateFunc: validation.StringIsNotEmpty,
							},
						},

						"enabled": {
							Type:     pluginsdk.TypeBool,
							Optional: true,
							Default:  false,
						},
					},
				},
			},
		},
	}
}

func resourceMsSqlManagedInstanceVulnerabilityAssessmentCreate(d *pluginsdk.ResourceData, meta interface{}) error {
	client := meta.(*clients.Client).MSSQLManagedInstance.ManagedInstanceVulnerabilityAssessmentsClient
	ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
	defer cancel()

	instanceId, err := commonids.ParseSqlManagedInstanceID(d.Get("managed_instance_id").(string))
	if err != nil {
		return err
	}

	id := parse.NewManagedInstanceVulnerabilityAssessmentID(instanceId.SubscriptionId, instanceId.ResourceGroupName, instanceId.ManagedInstanceName, "default")

	vulnerabilityAssessment := managedinstancevulnerabilityassessments.ManagedInstanceVulnerabilityAssessment{
		Properties: &managedinstancevulnerabilityassessments.ManagedInstanceVulnerabilityAssessmentProperties{
			StorageContainerPath:    d.Get("storage_container_path").(string),
			StorageAccountAccessKey: pointer.To(d.Get("storage_account_access_key").(string)),
			StorageContainerSasKey:  pointer.To(d.Get("storage_container_sas_key").(string)),
			RecurringScans:          expandRecurringScans(d),
		},
	}

	if _, err = client.CreateOrUpdate(ctx, *instanceId, vulnerabilityAssessment); err != nil {
		return fmt.Errorf("updating %s: %v", id.ID(), err)
	}

	d.SetId(id.ID())

	return resourceMsSqlManagedInstanceVulnerabilityAssessmentRead(d, meta)
}

func resourceMsSqlManagedInstanceVulnerabilityAssessmentUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
	client := meta.(*clients.Client).MSSQLManagedInstance.ManagedInstanceVulnerabilityAssessmentsClient
	ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
	defer cancel()

	id, err := parse.ManagedInstanceVulnerabilityAssessmentID(d.Id())
	if err != nil {
		return err
	}

	instanceId := commonids.NewSqlManagedInstanceID(id.SubscriptionId, id.ResourceGroup, id.ManagedInstanceName)

	vulnerabilityAssessment := managedinstancevulnerabilityassessments.ManagedInstanceVulnerabilityAssessment{
		Properties: &managedinstancevulnerabilityassessments.ManagedInstanceVulnerabilityAssessmentProperties{
			StorageContainerPath:    d.Get("storage_container_path").(string),
			StorageAccountAccessKey: pointer.To(d.Get("storage_account_access_key").(string)),
			StorageContainerSasKey:  pointer.To(d.Get("storage_container_sas_key").(string)),
			RecurringScans:          expandRecurringScans(d),
		},
	}

	if _, err = client.CreateOrUpdate(ctx, instanceId, vulnerabilityAssessment); err != nil {
		return fmt.Errorf("updating %s: %v", id.ID(), err)
	}

	d.SetId(id.ID())

	return resourceMsSqlManagedInstanceVulnerabilityAssessmentRead(d, meta)
}

func resourceMsSqlManagedInstanceVulnerabilityAssessmentRead(d *pluginsdk.ResourceData, meta interface{}) error {
	client := meta.(*clients.Client).MSSQLManagedInstance.ManagedInstanceVulnerabilityAssessmentsClient
	ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
	defer cancel()

	id, err := parse.ManagedInstanceVulnerabilityAssessmentID(d.Id())
	if err != nil {
		return err
	}

	instanceId := commonids.NewSqlManagedInstanceID(id.SubscriptionId, id.ResourceGroup, id.ManagedInstanceName)
	d.Set("managed_instance_id", instanceId.ID())

	result, err := client.Get(ctx, instanceId)
	if err != nil {
		if response.WasNotFound(result.HttpResponse) {
			log.Printf("[WARN] %s not found", id.ID())
			d.SetId("")
			return nil
		}

		return fmt.Errorf("making read request: %+v", err)
	}

	if result.Model != nil {
		if props := result.Model.Properties; props != nil {
			d.Set("storage_container_path", props.StorageContainerPath)

			if props.RecurringScans != nil {
				if err := d.Set("recurring_scans", flattenRecurringScans(props.RecurringScans)); err != nil {
					return fmt.Errorf("setting `recurring_scans`: %+v", err)
				}
			}
		}
	}
	return nil
}

func resourceMsSqlManagedInstanceVulnerabilityAssessmentDelete(d *pluginsdk.ResourceData, meta interface{}) error {
	client := meta.(*clients.Client).MSSQLManagedInstance.ManagedInstanceVulnerabilityAssessmentsClient
	ctx, cancel := timeouts.ForDelete(meta.(*clients.Client).StopContext, d)
	defer cancel()

	id, err := parse.ManagedInstanceVulnerabilityAssessmentID(d.Id())
	if err != nil {
		return err
	}

	instanceId := commonids.NewSqlManagedInstanceID(id.SubscriptionId, id.ResourceGroup, id.ManagedInstanceName)

	_, err = client.Delete(ctx, instanceId)
	if err != nil {
		return fmt.Errorf("deleting Managed Instance Vulnerability Assessment %s: %+v", id.ID(), err)
	}

	return nil
}

func expandRecurringScans(d *pluginsdk.ResourceData) *managedinstancevulnerabilityassessments.VulnerabilityAssessmentRecurringScansProperties {
	props := managedinstancevulnerabilityassessments.VulnerabilityAssessmentRecurringScansProperties{}

	vs := d.Get("recurring_scans").([]interface{})
	if len(vs) == 0 {
		return &props
	}

	v := vs[0].(map[string]interface{})

	if enabled, ok := v["enabled"]; ok {
		props.IsEnabled = pointer.To(enabled.(bool))
	}

	if emailSubscriptionAdmins, ok := v["email_subscription_admins"]; ok {
		props.EmailSubscriptionAdmins = pointer.To(emailSubscriptionAdmins.(bool))
	}

	if _, ok := v["emails"]; ok {
		emails := make([]string, 0)
		for _, uri := range v["emails"].([]interface{}) {
			emails = append(emails, uri.(string))
		}
		props.Emails = &emails
	}

	return &props
}

func flattenRecurringScans(props *managedinstancevulnerabilityassessments.VulnerabilityAssessmentRecurringScansProperties) []interface{} {
	result := make(map[string]interface{})

	if enabled := props.IsEnabled; enabled != nil {
		result["enabled"] = *props.IsEnabled
	}

	if emailSubscriptionAdmins := props.EmailSubscriptionAdmins; emailSubscriptionAdmins != nil {
		result["email_subscription_admins"] = *props.EmailSubscriptionAdmins
	}

	if props.Emails != nil {
		result["emails"] = *props.Emails
	}

	return []interface{}{result}
}
